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In the claims; 

1 . (Previously Presented) Computer apparatus configured to discover roles from 
structure existing amongst users to whom resources have been assigned, the apparatus 
comprising: 

a processor, 

an input for receiving a set of nodes of users, and of resources, each user of said 
set comprising a node with an assignment of resources the sets being partitioned, one 
part comprising said users and one part comprising said resources, said assignments being 
incorporated as links between respective users and resources over said partitioning, and 

a discovery unit associated with said input and operable via said processor, 
configured for automatically searching for patterns within said links between said users 
and said resources, 

a grouping unit, associated with said discovery unit, configured to use said 
discovered patterns to form at least one group from said user nodes or said resource 
nodes using said automatically discovered patterns, such that users or resources having 
all of a subset of at least two links to common resources or users are placed into a same 
group, and 

an output unit configured for outputting said group of users or resources as a role. 

2. (Previously Presented) The apparatus of claim 1, wherein said 
relationships are access permissions. 

3. (Previously Presented) The apparatus of claim 1, wherein said 
relationships are usage levels of respective resources by respective users. 

4. (Original) The apparatus of claim 2, wherein said relationships further 
comprise user access permission levels for respective resources. 

5. (Original) The apparatus of claim 2, wherein said at least one group is 
definitive of a user role on said network. 
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6. (Previously Presented) The apparatus of claim 1, wherein said user nodes 
comprise entities having attributes, and said relationships represent a respective user 
possessing a respective attribute. 

7- (Original) The apparatus of claim 2, wherein said pattern recognition unit 
is associated with a search engine operable to use a search tree to begin with a single 
resource and its associated users, and iteratively to add resources and remove users not 
having a predefined relationship with said iteratively added resources, to meet a resource 
number, or a user number constraint. 

8. (Original) The apparatus of claim 7, wherein said search engine is 
operable to use a homogeneity measure to determine whether to consider a candidate 
grouping in said search. 

9. (Original) The apparatus of claim 7, wherein said search engine is 
operable to use a homogeneity measure to determine in which order to consider a 
candidate grouping in said search. 

10. (Original) The apparatus of claim 7, wherein said search engine is 
operable within said iterative stages to add further resources common to a current set of. 
users. 

11. (Original) The apparatus of claim 10, wherein said search engine is 
operable to compute a set of all users related to a current set of resources. 

12. (Original) The apparatus of claim 11, wherein said search engine is 
operable to consider for expansion all resources outside said current set of resources that 
have at least one relationship connection with a current set of users. 

13. (Original) The apparatus of claim 8, wherein the set of users associated 
with each of said nodes is associated with attributes, and wherein said homogeneity 
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measure is the percentage of occurrence of a given attribute, multiplied by the log value 
thereof, summed over all such users in said result. 

14. (Original) The apparatus of claim 8, wherein the set of resources 
associated with each of said nodes is associated with attributes, and wherein said 
homogeneity measure is the percentage of occurrence of a given attribute, multiplied by 
the log value thereof, summed over all such resources in said result. 

15. (Original) The apparatus of claim 8, wherein said homogeneity measure is 
the percentage of occurrence of a given resource relationship for any of the users 
associated with at least one of the resources of said node, multiplied by the log value 
thereof, summed over all users of said node in said result. 

16. (Original) The apparatus of claim 8, wherein said homogeneity measure is 
the percentage of occurrence of a given user relationship for any of the resources 
associated with at least one of the users of said node, multiplied by the log value thereof, 
summed over all resources of said node in said result. 

17. (Original) The apparatus of claim 1, wherein said pattern recognition unit 
is operable to use said pattern recognition within an iterative tree searching process. 

18. (Previously Presented) The apparatus of claim 1, wherein said pattern 
recognition unit is operable to insert said groupings as an intermediate set amongst said 
nodes. 

19. (Previously Presented) The apparatus of claim 1, wherein said users and 
said resources are arranged into three sets, em intermediate one of said sets comprising 
predetermined relationship dependent groupings of at least some of the users in a first of 
said sets, said pattern recognition unit being operable to use said pattern recognition to 
add new groups to said intermediate set. 
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20. (Previously Presented) The apparatus of claim 1, wherein said input is 
associated with a graphical expositor, configured to present said input in a graph, said 
graphical expositor being operable to graphically represent said user nodes and said 
resource nodes within said sets. 

21. (Original) The apparatus of claim 20, wherein the graphical expositor is 
user interactive to manually modify the groupings discovered by the pattern recognition 
engine. 

22. (Previously Presented) The apparatus of claim 20, wherein said graphical 
expositor is further operable to partition the graph into sub-graphs, each of the sub-graphs 
itself being a partitioned graph having at least two sets, the sub-graphs being limited to a 
subset of the users in one of the sets, and further comprising all the resources in the other 
set that are linked to users of said subset, and wherein said pattern recognition unit is 
further operable to perform groupings on each of the subgraphs, and then to merge the 
results into a full graph. 

23. (Previously Presented) The apparatus of claim 20, wherein said graphical 
expositor is further operable to partition the graph into sub-graphs, each of the sub-graphs 
itself being a bi-partite graph limited to a subset of the resources in the second set, and 
further comprising all the users in the first set that are linked thereto, and wherein said 
pattern recognition unit is further operable to perform groupings on each of the 
subgraphs, and then to merge the results into a full graph. 

24. (Original) The apparatus of claim 20, wherein said graphical expositor, is 
user interactive to allow an operator to review user group associations and user resource 
relations, and to allow said operator to manipulate user access rights. 

25. (Previously Presented) Role discovery method for electronically grouping 
nodes according to existing relationships with resources, the method comprising: 
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receiving an arrangement of nodes and resources, said resources being partitioned 
from said nodes and with predetermined relationships between ones of said resources and 
corresponding nodes, and 

automatically discovering existing relationship patterns between said 
arrangement of nodes and resources across said partitioning, 

using said discovered patterns, grouping said arrangement of nodes, wherein said 
grouped nodes share relationships with at least two common resources, and 

outputting said grouping of nodes having common patterns of at least two 
existing relationships as a role. 

26. (Previously Presented) A reverse engineering device for discovering 
existing structure in a partitioned arrangement of nodes and resources wherein nodes 
have relationships with various of said resources, the device comprising: 

a processor, 

an input configured for receiving said partitioned arrangement of nodes and 
resources, said arrangement comprising at least two sets, said partitions being of said 
nodes and said resources respectively, and with predetermined relationships defined 
between said nodes and said resources across said sets, and 

a discovery unit configured to work with said processor, for automatically 
discovering relationship patterns within said existing relationships using pattern 
recognition on said nodes, said resources and said predetermined relationships, 

a node-grouping unit associated with said pattern recognition unit and configured 
to operate with said processor to use said relationship patterns to form groups from said 
nodes, such that those nodes that share similar subsets of at least two relationships with 
said resources are placed in a group together, and 

an output configured to output respective groups of nodes having said similar 
subsets of at least two relationships as roles. 
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27. (Currently Amended) Computer device comprising: 
a processor 

a first series of user definitions, each user in said definitions defined as a user 

node; 

a second series of resource definitions, each resource in said definitions defined as 
a resource node; 

access data indicating access of users to respective resources; and 

a pattern recognition unit operable with said processor for automatically 

recognizing pre-existing patterns in said access data, said patterns indicative of a way of 

grouping said user n odes of said each user so as to discover groups of nodes having 

common subsets of at least two resources, and 

a group definition unit operable with said processor and said pattern recognition 

unit configured to output groups so discovered as roles. 

28. (Previously Presented) The apparatus of claim 1, wherein said role comprises 
said users or said resources sharing only said subset. 

29. (Previously Presented) Pattern recognition apparatus for grouping nodes 
according to relationships with other nodes, the apparatus comprising: 

an input for receiving nodes partitioned into a first set and a second set, and with 
relationships between nodes in respective first and second sets defined by links across 
said partition, and 

a pattern recognition processor associated with said input, for using pattern 
recognition on said links to find relationship patterns within said links, and from said 
patterns to form at least one group fi"om nodes of said first set, wherein said nodes being 
formed into said group share relationships with at least two nodes in said second set. 

30. (Previously Presented) Group discovery method for automatically discovering 
groups according to an initially unknown structure in existing electronically held data, 
said electronically held data comprising nodes partitioned into first and second data sets, 
wherein links exist within said data between nodes in said first data set and nodes in said 
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second data set, the initially unknown structure being within said links, the method 
comprising: 

electronically searching said data, and 

grouping nodes in said first set according to respective links such that all nodes in 
said first set having links to at least two commonly held nodes in said second set are 
assigned to a same group, thereby discovering groups in said data according to said 
initially unknown structure. 

31. (Previously Presented) A method of automatically grouping users having links 
or attributes into one or more groups based on said links or attributes, the method 
comprising: 

providing a group for users sharing all of a subset of at least two of said links or 
attributes, and 

outputting said provided groups. 

32. (Previously Presented) The apparatus of claim 1, wherein said discovery unit 
is configured to carry out said searching by one member of the group consisting of a 
clustering algorithm, an incremental search and a search tree. 

33. (Previously Presented) The apparatus of claim 1, wherein said outputting said 
group comprises outputting a characteristic of said group. 

34. (Previously Presented) A search method for automatically searching initially 
unknown structures in existing electronically held data, said electronically held data 
comprising nodes partitioned into first and second data sets, wherein links exist within 
said data between nodes in said first data set and nodes in said second data set, the 
initially unknown structure being within said links, the method comprising: 

electronically searching said data according to said links, and 
grouping nodes in said first set according to respective links such that all nodes in 
said first set having links to at least two commonly held nodes in said second set are 
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assigned to a same group, thereby discovering groups in said data according to said 
initially unknown structure. 

35. (Previously Presented) Search apparatus for automatically searching initially 
unknown structures in existing electronically held data, said electronically held data 
comprising nodes partitioned into first and second data sets, wherein links exist within 
said data between nodes in said first data set and nodes in said second data set, the 
initially unknown structure being within said links, the apparatus comprising: 

a search unit, configured for electronically searching said data according to said 
links, and 

a structuring unit, associated with said search unit, configured for grouping nodes 
in said first set according to respective links such that all nodes in said first set having 
links to at least two commonly held nodes in said second set are assigned to a same 
group, thereby discovering groups in said data according to said initially unknown 
structure. 



